#!/bin/bash
#
# Usage: git-credential-ghtoken <operation>
#
# Allows `git` to authenticate with GitHub using `GH_USER` and `GH_TOKEN`
# environment variables.
#
# To install this:
#
#     git config --global credential.https://github.com.helper \
#         "$(pwd)/scripts/git-credential-ghtoken"
#
# Or copy it into your path and run:
#
#     git config --global credential.https://github.com.helper ghtoken
#
#
# Copyright (c) 2018 Faraday, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Standard paranoia.
set -euo pipefail

# Parse our command-line arguments.
operation="$1"

# Ignore all operations besides `get`.
if [ "$operation" != get ]; then
    exit 0
fi

# Quit now if we don't have the necessary environment variables.
if [ ! -v GH_USER ] || [ ! -v GH_TOKEN ]; then
    exit 0
fi

# Parse the input we receive from `git`.
while read line; do
    var="$(echo "$line" | sed 's/=.*$//')"
    val="$(echo "$line" | sed 's/^.*=//')"
    case "$var" in
        # Only send credentials over HTTPS.
        protocol)
            if [ "$val" != https ]; then
                exit 0
            fi
            ;;
        # Only send credentials to GitHub (just extra paranoia; change as
        # needed).
        host)
            if [ "$val" != github.com ]; then
                exit 0
            fi
            ;;
    esac
done

# Output our credentials.
cat <<EOD
username=$GH_USER
password=$GH_TOKEN
EOD
